invalidate sessions before login

packages/backend-core/src/middleware/passport/local.js

@@ -5,7 +5,10 @@ const env = require("../../environment")
 const { getGlobalUserByEmail } = require("../../utils")
 const { authError } = require("./utils")
 const { newid } = require("../../hashing")
-const { createASession } = require("../../security/sessions")
+const {
+  createASession,
+  invalidateSessions,
+} = require("../../security/sessions")
 const { getTenantId } = require("../../tenancy")
 
 const INVALID_ERR = "Invalid credentials"
@@ -53,6 +56,9 @@ exports.authenticate = async function (ctx, email, password, done) {
 
   // authenticate
   if (await compare(password, dbUser.password)) {
+    // invalidate all other sessions
+    await invalidateSessions(dbUser._id)
+
     const sessionId = newid()
     const tenantId = getTenantId()
     await createASession(dbUser._id, { sessionId, tenantId })

packages/backend-core/src/middleware/passport/third-party-common.js

@@ -4,7 +4,10 @@ const { generateGlobalUserID } = require("../../db/utils")
 const { saveUser } = require("../../utils")
 const { authError } = require("./utils")
 const { newid } = require("../../hashing")
-const { createASession } = require("../../security/sessions")
+const {
+  createASession,
+  invalidateSessions,
+} = require("../../security/sessions")
 const { getGlobalUserByEmail } = require("../../utils")
 const { getGlobalDB, getTenantId } = require("../../tenancy")
 const fetch = require("node-fetch")
@@ -76,6 +79,9 @@ exports.authenticateThirdParty = async function (
   // never prompt for password reset
   dbUser.forceResetPassword = false
 
+  // invalidate all other sessions
+  await invalidateSessions(dbUser._id)
+
   // create or sync the user
   let response
   try {